
Insufficient scope error caused by undefined field in jwtAuthz #47

Open
afilazzola opened this issue Aug 12, 2022 · 5 comments

Comments

@afilazzola

afilazzola commented Aug 12, 2022

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Description

The field selection in the jwtAuthz function appears to be incorrect. I was running into the exact same issue as reported here, except that specifying a customScopeKey did not solve the problem. Looking at the output of the request and the function itself, there is no field on the JWT token called user, but that is what the function is requesting. Revising the userKey field to auth corrects the behaviour.

Reproduction

The middleware I was using:

    app.get('/userbased', checkJwt, jwtAuthz(['read:ssim']), (req, res) => {
      // express-jwt puts the decoded payload on req.auth, not req.user
      console.log('Request', req['auth']);
      res.send('Role based user authentication is working');
    });

The edit I made to the jwtAuthz function:

    let userKey = 'auth';

Environment

Please provide the following:

  • Version of this library used: express-jwt-authz@2.4.1
  • Version of the platform or framework used, if applicable: NodeJS & React
  • Other modules/plugins/libraries that might be involved: jwks-rsa & express-jwt for JWT authentication
@henryspivey

henryspivey commented Sep 17, 2022

I'm getting the same error, "Insufficient Scope", as mentioned above.
I am running:
"express": "^4.18.1",
"express-jwt": "^7.7.5",
"express-jwt-authz": "^2.4.1",

As suggested above, doing let userKey = 'auth' fixed the issue.

@luisr-carrillo

As you commented, customUserKey: 'auth' fixed the issue.

But I had to change my Auth0 API settings: on the API dashboard, under 'RBAC Settings', I activated 'Enable RBAC' and 'Add Permissions in the Access Token'.

This is my final config:

    export const checkPermissions = (permissions: string[]) => {
      return jwtAuthz(permissions, { customScopeKey: 'permissions', customUserKey: 'auth' });
    };

@danielwagn3r

danielwagn3r commented Sep 19, 2022

I've noticed this error as well. However, in my case I didn't use any additional properties in the JWT for RBAC or other stuff; I just used the standard scope parameter to check for client permissions (in my case it's an m2m use-case).

Didn't get it working with this package and therefore looked at https://github.com/benrei/express-jwt-scope

Used these versions:
"express": "^4.18.1",
"express-jwt": "^7.7.5",
"express-jwt-authz": "^2.4.1",

@bjornol

bjornol commented Sep 28, 2022

Same issue here on versions:

"express": "^4.18.1",
"express-jwt": "^7.7.5",
"express-jwt-authz": "^2.4.1"

Solution from afilazzola works.

The problem is caused by the express-jwt v6 upgrade where the decoded JWT payload is now available as req.auth rather than req.user. See migration points (Migration from v6) in the express-jwt description. https://github.com/auth0/express-jwt
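As an added illustration of bjornol's explanation (this is not code from express-jwt-authz itself): a minimal re-implementation of the scope check, run against constructed request objects, shows why the default userKey 'user' denies every request once express-jwt stores the payload on req.auth, and why the customUserKey/customScopeKey config posted above fixes it. The option names follow the library's documented options; the 403 response and the helper functions are modelled for this example, not copied from the library.

```javascript
// Added example, not the express-jwt-authz source: a minimal re-implementation of the
// jwtAuthz scope check. Option names (customUserKey, customScopeKey, checkAllScopes)
// follow the library's documented options; the 403 response is modelled, not copied.
function scopeCheck(expectedScopes, options = {}) {
  const userKey = options.customUserKey || 'user';    // library default: 'user'
  const scopeKey = options.customScopeKey || 'scope'; // library default: 'scope'
  const checkAll = options.checkAllScopes === true;

  return function (req, res, next) {
    const principal = req[userKey];
    // express-jwt >= 6 stores the decoded payload on req.auth, so with the default
    // userKey 'user' this lookup yields undefined and every request is denied.
    const raw = principal ? principal[scopeKey] : undefined;
    if (raw === undefined) return res.status(403).send('Insufficient scope');

    // Either a space-separated string ("read:ssim write:ssim") or an array
    // (what Auth0 emits in the "permissions" claim when RBAC is enabled).
    const granted = Array.isArray(raw) ? raw : String(raw).split(' ');
    const ok = checkAll
      ? expectedScopes.every((s) => granted.includes(s))
      : expectedScopes.some((s) => granted.includes(s));
    return ok ? next() : res.status(403).send('Insufficient scope');
  };
}

// Harness: run a middleware against a plain request object and report the outcome
// (a fake res is enough; nothing here needs a real Express app).
function evaluate(middleware, req) {
  const outcome = { allowed: false, status: 200 };
  const res = {
    status(code) { outcome.status = code; return this; },
    send() { return this; },
  };
  middleware(req, res, () => { outcome.allowed = true; });
  return outcome;
}

// Constructed requests modelling what express-jwt puts on req.
const v7Request = { auth: { sub: 'user|123', scope: 'read:ssim' } };           // express-jwt 6+
const legacyRequest = { user: { sub: 'user|123', scope: 'read:ssim' } };       // express-jwt <= 5
const rbacRequest = { auth: { sub: 'user|123', permissions: ['read:ssim'] } }; // Auth0 RBAC claim

const defaults = scopeCheck(['read:ssim']);
const withAuthKey = scopeCheck(['read:ssim'], { customUserKey: 'auth' });
const rbac = scopeCheck(['read:ssim'], { customScopeKey: 'permissions', customUserKey: 'auth' });

console.log(evaluate(defaults, v7Request));     // { allowed: false, status: 403 }  <- this issue
console.log(evaluate(defaults, legacyRequest)); // { allowed: true, status: 200 }
console.log(evaluate(withAuthKey, v7Request));  // { allowed: true, status: 200 }
console.log(evaluate(rbac, rbacRequest));       // { allowed: true, status: 200 }
```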

@FSou1

FSou1 commented Feb 22, 2023

Same.

Make sure you use express-jwt, because express-jwt-authz depends on that package under the hood.
